Secure file erasure.



A method (10) of deleting a file (20) stored on a permanent storage medium (15) of a computer system (16) comprises the steps of selecting (11) the stored file (20) for deletion, encrypting (13) the stored file (20) using a random key (21), and deleting (14) the file directory pointer to the file (20). The present invention permits a user to erase files from a permanent storage space in a manner that makes the file totally unreadable by others. If the user does not expect to undelete the file, a one-way encryption algorithm (18) may be used to increase the speed of secure deletion of the file. If the user does not destroy the key, he or she may recover the file.



[Figure: flow chart of the secure file erasure method 10. Boxes: user enters a delete command (11); normal delete process, delete file directory pointer (14); invoke encryption algorithm to encrypt the file (13); one-way delete and two-way delete modes (17, 18) with automatic key destruction (19) and key (21); file is deleted; restore directory pointer (23); decrypt data file (24); hard disk (15) holding file (20); computer system (16).]



EP 0 575 765 A1 






BACKGROUND 

The present invention relates generally to computer systems, and more particularly, to methods of deleting (erasing) files stored on permanent storage media of a computer system that eliminate the possibility of recovery of the data as a readable file by unauthorized persons.

A traditional method for deleting a file from permanent storage space (a hard disk, for example) is to delete the pointer contained in the file directory that points to the information blocks comprising the file. The actual contents of the information are left untouched. Using a utility program, the contents of every block of storage space can be scanned for sensitive information.

More particularly, although the storage space is freed up for other uses, the file's data content is left untouched until the storage space is actually used for another file. This is inherently dangerous because the user believes the data is gone, yet a skilled intruder can use powerful utility tools to scan for these deleted files.

Another conventional method of file deletion requires a user to overwrite the entire data file with 0's and 1's so as to remove any magnetic remnants of the removed information. This method is slow because the system must write the 0's and 1's many times to ensure that the stored information cannot be recovered.

It is therefore an objective of the present invention to provide a method for deleting files stored on permanent storage media. It is a further objective to provide a file deletion method whereby files are permanently deleted without the possibility of recovery. It is a further objective to provide a file deletion method whereby files are deleted in a manner that does not permit recovery by any person other than the original user or someone authorized by the user, and thus permits recovery of the deleted file by the authorized user alone.

SUMMARY OF THE INVENTION 

In order to provide for the above and other objectives and features, the present invention provides a method wherein an encryption algorithm is used to encrypt the data in a stored file when deleting the file. The encryption algorithm, such as a Type I or Type II encryption algorithm employed in a Secure Data Network Protocol (SDNP) processor manufactured by the assignee of the present invention, may be employed during file erasure to eliminate the weaknesses mentioned with regard to the conventional file erasure methods. The SDNP processor includes an integrated circuit chip that incorporates a selected one of the NSA-developed encryption algorithms. The Type I algorithm allows encryption of files containing classified information, and has a level of encryption that permits the encrypted files to be transferred to others without risk of exposure of the data contained in the files. The Type II algorithm is similar to the Type I algorithm but has been developed for unclassified but sensitive data.

In accordance with the present invention, when a user requests deletion of a stored file, the file is encrypted so that it is not readable. The erasure is performed using the encryption algorithm so that the contents of the file cannot be retrieved by other users after the erasure. Both one-way and two-way file deletion may be employed. In the one-way deletion mode, used when the user does not expect to "undelete" the data, the random key is destroyed as soon as the file has been encrypted, so that no key need be retained or managed; this increases the speed of secure deletion of the file. In the two-way deletion mode, the user has the option to undelete the file by decrypting the encrypted file or the disk storage area where the deleted file is stored, as long as this operation is done before the storage space is used by other software programs.

When the secure deletion method of the present invention is used, no utility program can recover any information from the deleted file. To an intruder, the encrypted storage space looks like random bits. Therefore, no information can be retrieved or derived from the encrypted, deleted file.

The present invention provides an enhancement to the existing file deletion function of the operating system of any computer system, so that if a user wants to securely delete the contents of a particular file, the file will be unreadable by anyone else. Using the present file deletion scheme, which employs the encryption algorithm when deleting data files, eliminates the vulnerability present in conventional file deletion methods. The present invention thus permits a user to erase files from a permanent storage space (a hard or floppy disk, for example) in a manner that makes the file totally unreadable by others.

The present invention also comprises a method of processing a file stored on a permanent storage medium of a computer system that eliminates access to the file by unauthorized persons. The method comprises selecting a stored file, encrypting the stored file using a random key, and then deleting a file directory pointer to the data file. The random key is stored externally and is in the possession of the authorized user of the computer system. To recover the data, the method restores the file directory pointer to the data file and decrypts the encrypted stored file using the same random, externally stored key that was used to encrypt the file, to permit access to the data contained in the stored file.
BRIEF DESCRIPTION OF THE DRAWINGS

The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawing, in which the sole figure illustrates a method in accordance with the principles of the present invention that securely deletes a file stored on a storage medium of a computer system.

DETAILED DESCRIPTION 

Referring to the drawing figure, it illustrates a secure file erasure method 10 in accordance with the principles of the present invention that securely and permanently deletes a file 20 stored on a storage medium 15 of a computer system 16. The computer system 16 includes a hard disk employed as the storage medium 15, and has a keyboard or mouse device (not shown) to provide inputs to the computer system 16. The computer system 16 includes an operating system that contains a conventional delete file command as one of its functions. The delete file command is employed to delete files 20 stored on the storage medium 15.

In accordance with the principles of the present invention, if a user of the computer system 16 desires to delete the file 20 stored on the storage medium 15, the user enters a delete file command 11 by selecting from a menu on a computer screen (not shown) or by typing a delete file command sequence on the keyboard. A firmware processing routine in accordance with the principles of the present invention, stored in a ROM or as an application program that runs on the computer system 16, intercepts the delete file command and prompts the user on the display screen 17 as to whether a secure deletion of the stored file 20 is desired, illustrated by decision block 12. If no secure file deletion is desired, then the method 10 of the present invention proceeds to a normal delete file process 14. This normal delete file process may be the traditional file deletion process described in the Background section, wherein a pointer contained in the file directory of the storage medium 15 that points to the information blocks comprising the file 20 is deleted. In this situation, the actual contents of the information in the file 20 are left untouched.

If, however, a secure deletion of the file 20 is desired, then an encryption algorithm 13 is used to encrypt the file 20 whose contents are to be deleted. The encryption algorithm 13 may comprise a Type I or Type II algorithm employed in a Secure Data Network Protocol processor developed by the assignee of the present invention. This algorithm is incorporated in an integrated circuit chip that may be purchased from the National Security Agency (NSA). The chip is incorporated in a Secure Data Network Protocol (SDNP) processor manufactured by the assignee of the present invention, which may be employed for the purposes of encryption of the file 20. The ciphertext must be written back over the same storage locations that held the plaintext of the file 20; if it were written to other locations, the original blocks would remain on the storage medium 15 and could be found by a scanning utility exactly as in the conventional deletion process. Once the file 20 has been encrypted in place by the encryption algorithm 13, the method proceeds to the normal deletion process step 14, which deletes the directory pointer.

The specifics of the encryption algorithm employed in the present method 10 are as follows. Both one-way and two-way file deletion modes 17, 18 may be employed using the encryption algorithm 13. In the one-way deletion mode 17, wherein the user does not expect to "undelete" the data, a one-way encryption algorithm is used to increase the speed of secure deletion of the file 20. In the one-way mode 17, the data in the file 20 is encrypted using a random external key 21, and then the key 21 is automatically destroyed 19 and cannot be used to recover the data. The term "one-way" thus refers to the deletion mode and not to a one-way hash function: the file is encrypted with an ordinary keyed cipher, and irreversibility comes solely from destroying the key. Consequently, without the key 21, the data cannot be decrypted and is thus unreadable by anyone.

In the two-way mode 18, the data in the file 20 is encrypted using the random key 21, but the key 21 is not destroyed 19 and may be used by the user to recover the data. The key 21 is stored or retained by the user in a secure location external to the computer system 16. In the two-way deletion mode 18, the user has the option to undelete the file 20 by restoring the directory pointer 23 and decrypting 24 the encrypted file 20 or the disk storage area where the deleted file 20 is stored, as long as this operation is done before the storage space is used by other software programs. Without the key 21, the data cannot be decrypted and is thus unreadable by anyone; the security of the two-way mode therefore rests on the key 21 being kept out of an intruder's reach. If the secure file deletion method 10 of the present invention is used, no utility program can recover any information from the deleted file 20. To an intruder, the encrypted storage space looks like random bits. Therefore, no information can be retrieved or derived from the encrypted, deleted file 20.
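The following Python is an added illustration, not code from the patent and not the assignee's SDNP implementation. It models the three deletion paths described in the Summary of the Invention and in this Detailed Description on a constructed in-memory block device: a conventional delete that only drops the directory entry (step 14), a one-way secure delete that encrypts in place and destroys the key (13, 19), and a two-way secure delete whose externally held key recovers the file (23, 24) until its blocks are reused. The cipher is a stand-in (HMAC-SHA256 used as a PRF in counter mode, XORed over the data) for the NSA Type I/II algorithm the patent relies on; the Disk class, the recovery-token layout returned by secure_delete, and the sample file contents are assumptions made for the example.

```python
"""Crypto-shredding on a constructed in-memory block device: an added example, not
the patent's code. Stand-in cipher: HMAC-SHA256 as a PRF in counter mode, XORed over
the data, in place of the NSA Type I/II hardware cipher. Disk and token are assumptions."""
import hashlib
import hmac
import os

BLOCK_SIZE = 16

class Disk:  # block device plus a directory: name -> (block numbers, byte length)
    def __init__(self, num_blocks):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(num_blocks)]
        self.epoch = [0] * num_blocks   # bumped each time a file (re)writes a block
        self.free = list(range(num_blocks))
        self.directory = {}

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        blocks = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(blocks, chunks):
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")
            self.epoch[b] += 1
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, size = self.directory[name]
        return b"".join(bytes(self.blocks[b]) for b in blocks)[:size]

    def scan_raw(self, needle):  # what a disk-scanning utility does: ignore the directory
        return needle in b"".join(bytes(blk) for blk in self.blocks)

def keystream(key, nonce, length):
    """PRF-in-counter-mode keystream; stand-in for the patent's cipher."""
    out = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
           for i in range((length + 31) // 32))
    return b"".join(out)[:length]

def xor_in_place(disk, blocks, key, nonce):
    """Encrypt or decrypt (same operation), writing back over the SAME blocks;
    writing the ciphertext elsewhere would leave the plaintext on the disk."""
    ks = keystream(key, nonce, len(blocks) * BLOCK_SIZE)
    for i, b in enumerate(blocks):
        seg = ks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        disk.blocks[b][:] = bytes(x ^ y for x, y in zip(disk.blocks[b], seg))

def normal_delete(disk, name):
    """Conventional delete (step 14): drop the directory pointer, keep the data."""
    blocks, _ = disk.directory.pop(name)
    disk.free.extend(blocks)

def secure_delete(disk, name, two_way):
    """Encrypt under a fresh random key (13), then normal delete (14). One-way
    mode destroys the key (19); two-way mode returns it as the external token."""
    key, nonce = bytearray(os.urandom(32)), os.urandom(16)
    blocks, size = disk.directory[name]
    xor_in_place(disk, blocks, key, nonce)
    normal_delete(disk, name)
    if not two_way:
        for i in range(len(key)):   # best-effort zeroisation; Python gives no guarantee
            key[i] = 0
        return None
    return {"key": bytes(key), "nonce": nonce, "blocks": blocks, "size": size,
            "epoch": [disk.epoch[b] for b in blocks]}

def undelete(disk, name, token):
    """Two-way recovery: restore the pointer (23) and decrypt (24), but only
    while none of the file's blocks has been reused by another file."""
    blocks = token["blocks"]
    if [disk.epoch[b] for b in blocks] != token["epoch"]:
        raise RuntimeError("storage space reused; file is unrecoverable")
    disk.free = [f for f in disk.free if f not in blocks]
    disk.directory[name] = (blocks, token["size"])
    xor_in_place(disk, blocks, token["key"], token["nonce"])
    return disk.read_file(name)

SECRET = b"ACCOUNT 4111-1111-1111-1111 PIN 2468"   # constructed sample content

def run_scenarios():
    """Compare the deletion paths on a 4-block disk; returns observations."""
    r = {}
    disk = Disk(4)
    disk.write_file("secret.txt", SECRET)
    normal_delete(disk, "secret.txt")
    r["normal_delete_leaks"] = disk.scan_raw(b"4111-1111")
    disk = Disk(4)
    disk.write_file("secret.txt", SECRET)
    secure_delete(disk, "secret.txt", two_way=False)
    r["one_way_leaks"] = disk.scan_raw(b"4111-1111")
    disk = Disk(4)
    disk.write_file("secret.txt", SECRET)
    token = secure_delete(disk, "secret.txt", two_way=True)
    r["two_way_leaks"] = disk.scan_raw(b"4111-1111")
    r["two_way_recovered"] = undelete(disk, "secret.txt", token)
    token = secure_delete(disk, "secret.txt", two_way=True)
    disk.write_file("other.txt", b"x" * 40)   # reuses two of secret.txt's freed blocks
    try:
        undelete(disk, "secret.txt", token)
        r["recovery_after_reuse_fails"] = False
    except RuntimeError:
        r["recovery_after_reuse_fails"] = True
    return r
```

run_scenarios() shows the raw-block scan succeeding after a conventional delete and failing after either secure mode, the two-way token recovering the file while its blocks are still free, and recovery being refused once another file has reused those blocks. Note that the keystream is XORed back over the very blocks that held the plaintext; a file system that allocated new blocks for the ciphertext would defeat the scheme, which is the caveat behind the patent's "storage space" wording.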

In summary, then, the method 10 of the present invention comprises processing the file 20 stored on the permanent storage medium 15 of the computer system 16 in a manner which eliminates access to the file by unauthorized persons. The method includes selecting the stored file 20 and entering a delete command 11, encrypting the stored file 20 using a random key 21 by operating on the file 20 with the encryption algorithm 13, and then deleting 14 a file directory pointer to the file 20. To recover the file 20, the method 10 restores the file directory pointer 23 to the file 20, and decrypts 24 the encrypted stored file 20 using the random key 21 to permit access to the data contained in the stored file 20.
The present invention thus permits a user to erase files 20 from a permanent storage space in a manner that makes the file totally unreadable by others. The erasure is performed using the encryption algorithm so that the contents of the file 20 cannot be retrieved after the erasure. This is different from the traditional file erasure method discussed in the Background section, where only the file directory information or the pointer to the file 20 is deleted. In this conventional method the storage space is freed up for other uses, but the file's data content is left untouched until the storage space is actually used for storage of another file. This is inherently dangerous because the user believes the data is gone, yet a skilled intruder can use powerful utility tools to scan for these deleted files. Using the present file erasure method, which employs an encryption algorithm when deleting files 20, eliminates this vulnerability.

Thus there have been described new and improved methods of deleting (erasing) files stored on permanent storage media of a computer system that eliminate the possibility of recovery of the data as a readable file by unauthorized persons. It is to be understood that the above-described embodiment is merely illustrative of some of the many specific embodiments which represent applications of the principles of the present invention. Clearly, numerous other arrangements can be readily devised by those skilled in the art without departing from the scope of the invention.

Claims 

1. A method (10) of deleting a file (20) stored on a permanent storage medium (15) of a computer system (16), said method (10) characterized by the steps of:

selecting (11) a stored file (20) for deletion;

encrypting (13) the stored file (20) using a random key (21); and

deleting (14) a file directory pointer to the file (20).

2. The method (10) of Claim 1 further characterized by the step of:

after encrypting (13) the stored file (20) using the random key (21), destroying (19) the random key (21).


3. The method (10) of Claim 1 or 2 further characterized by the steps of:

at a time prior to overwriting of storage locations of the encrypted file (20), restoring (23) the file directory pointer to the file (20); and

decrypting (24) the encrypted stored file (20) using the random key (21) to permit access to the stored file (20).